2015-04-03 219 views
2

CAS: Unable to validate ProxyTicketValidator

I'm currently trying to set up a CAS server and use it to log in to several local applications.

CAS server (HTTPS): localhost:8443 (this is working fine)

Application: localhost:82

When I go to localhost:82, it immediately redirects to localhost:8443. When I try to log in, it returns to localhost:82/?ticket=ST-7-THoxHvfK5FoZZsejrSLh-cas01.example.org, but it shows this error:

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/serviceValidate] ticket=[ST-5-oYvT4kciKnE3Ibx1CtRd-cas01.example.org] service=[http%3A%2F%2Flocalhost%3A82%2F] renew=false entireResponse=[ 
..(complete page's HTML code).. 
]]]] 
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52) 
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455) 
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378) 

When I try to log in, Tomcat shows the following in the server log. This indicates that localhost:82 has been authenticated, right?

2015-04-03 09:22:40,544 INFO      [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler successfully authenticated admin+password> 
2015-04-03 09:22:40,544 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated admin with credentials [admin+password].> 
2015-04-03 09:22:40,544 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN 
============================================================= 
WHO: audit:unknown 
WHAT: supplied credentials: [admin+password] 
ACTION: AUTHENTICATION_SUCCESS 
APPLICATION: CAS 
WHEN: Fri Apr 03 09:22:40 CEST 2015 
CLIENT IP ADDRESS: 127.0.0.1 
SERVER IP ADDRESS: 127.0.0.1 
============================================================= 

> 
2015-04-03 09:22:40,545 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN 
============================================================= 
WHO: audit:unknown 
WHAT: TGT-3-I53UgV3LJICJLLtxgKcAIgSmLniIGCuPZsqWs0jLa146Secypw-cas01.example.org 
ACTION: TICKET_GRANTING_TICKET_CREATED 
APPLICATION: CAS 
WHEN: Fri Apr 03 09:22:40 CEST 2015 
CLIENT IP ADDRESS: 127.0.0.1 
SERVER IP ADDRESS: 127.0.0.1 
============================================================= 

> 
2015-04-03 09:22:40,546 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-7-THoxHvfK5FoZZsejrSLh-cas01.example.org] for service [http://localhost:82/] for user [admin]> 
2015-04-03 09:22:40,546 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN 
============================================================= 
WHO: admin 
WHAT: ST-7-THoxHvfK5FoZZsejrSLh-cas01.example.org for http://localhost:82/ 
ACTION: SERVICE_TICKET_CREATED 
APPLICATION: CAS 
WHEN: Fri Apr 03 09:22:40 CEST 2015 
CLIENT IP ADDRESS: 127.0.0.1 
SERVER IP ADDRESS: 127.0.0.1 
============================================================= 

> 
2015-04-03 09:22:40,622 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-8-ISpe32fFhErzCeFcfUgJ-cas01.example.org] for service [http://localhost:82/favicon.ico] for user [admin]> 
2015-04-03 09:22:40,622 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN 
============================================================= 
WHO: admin 
WHAT: ST-8-ISpe32fFhErzCeFcfUgJ-cas01.example.org for http://localhost:82/favicon.ico 
ACTION: SERVICE_TICKET_CREATED 
APPLICATION: CAS 
WHEN: Fri Apr 03 09:22:40 CEST 2015 
CLIENT IP ADDRESS: 127.0.0.1 
SERVER IP ADDRESS: 127.0.0.1 
============================================================= 

> 

I created an SSL certificate following wiki.jasig.org/display/CASUM/Demo. I ran
keytool -genkey -alias tomcat -keypass changeit -keyalg RSA (with first/last name = localhost),
keytool -export -alias tomcat -keypass changeit -file server.crt,
keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts

And in Tomcat's server.xml I added

<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="C:\workspace\.keystore"
           keystorePass="changeit"
           truststoreFile="C:/Program Files/Java/jdk1.7.0_76/jre/lib/security/cacerts"
           SSLEnabled="true" protocol="org.apache.coyote.http11.Http11Protocol" />

Can anyone give me a clue where to look to solve this? Any help would be greatly appreciated!

+0

Could you try using HTTPS for the application Tomcat (localhost:82)? If you can, could you provide more logs? – longhua 2015-04-13 10:01:51

+0

Thanks for the response. Luckily I have already found the solution: the problem was that I was using an older dependency for the CAS Server while using the latest CAS Client dependency. The Tomcat settings don't seem to be the problem. – Geert 2015-04-14 11:09:42

Answer

1

Whenever you request serviceValidate with a pgtUrl, CAS will try to create a PGT and send it to your pgtUrl.

Check out the walkthrough here.

If your application has no service listening at the pgtUrl, CAS will log these errors. If you are not implementing proxy ticketing in your application, you should not make the request with pgtUrl as a parameter. This is usually done by not setting the proxy callback URL.

If you are implementing proxy ticketing, the callback needs to be an https URL. You can then use those parameters to get proxy tickets.

In my case I was using the spring-security-cas plugin in Grails. The documentation suggested setting cas.proxyCallbackUrl and cas.proxyReceptorUrl, but when those were set the CAS log filled with errors. I found that pgtUrl was being sent because that configuration was set. Once I removed this configuration, the errors went away.

I suggest not sending pgtUrl to serviceValidate and seeing whether the errors go away.
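To make the answer's point concrete, here is an added example (not code from the question, the Yale/Jasig CAS client, or the Grails spring-security-cas plugin) of the client side of CAS 2.0 serviceValidate: building the validation URL, which only carries pgtUrl when the client really implements proxy ticketing and then insists on https, and classifying the server's reply. It goes a little beyond the answer by distinguishing three outcomes: a cas:authenticationSuccess document, a cas:authenticationFailure document, and a body that is not a cas:serviceResponse at all, which is what the trace in the question shows when entireResponse holds a full HTML page. The CAS base URL, service URL, ticket strings and the three response bodies are constructed for the example and are not taken from the asker's server.

```python
"""CAS 2.0 serviceValidate, client side: build the validation URL and classify
the server's response. Added example; the tickets, URLs and response bodies
below are constructed for illustration, not captured from a real CAS server."""
from urllib.parse import urlencode, urlparse
import xml.etree.ElementTree as ET

CAS_NS_URI = "http://www.yale.edu/tp/cas"
CAS_NS = {"cas": CAS_NS_URI}


def build_validate_url(cas_base, service, ticket, pgt_url=None, renew=False):
    """Return the /serviceValidate URL a CAS 2.0 client would request.

    pgtUrl is only added when the caller really implements proxy ticketing:
    as soon as it is present the CAS server opens its own TLS connection to
    that URL to deliver the PGTIOU, so the callback must be an https URL.
    """
    params = {"service": service, "ticket": ticket}
    if renew:
        params["renew"] = "true"
    if pgt_url is not None:
        if urlparse(pgt_url).scheme != "https":
            raise ValueError("pgtUrl must be an https URL, got %r" % pgt_url)
        params["pgtUrl"] = pgt_url
    return "%s/serviceValidate?%s" % (cas_base.rstrip("/"), urlencode(params))


def classify_validate_response(body):
    """Classify a serviceValidate response body.

    Returns (status, detail) with status one of:
      "success"     - <cas:authenticationSuccess>; detail has the user and the
                      PGTIOU (None when no pgtUrl was sent / callback failed)
      "failure"     - <cas:authenticationFailure>; detail has CAS code and message
      "not-cas-xml" - anything else, e.g. an HTML page delivered instead of the
                      <cas:serviceResponse> document
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return "not-cas-xml", "not well-formed XML: %s" % exc
    if root.tag != "{%s}serviceResponse" % CAS_NS_URI:
        return "not-cas-xml", "unexpected root element %s" % root.tag
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        return "success", {
            "user": success.findtext("cas:user", namespaces=CAS_NS),
            "pgtiou": success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS),
        }
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return "failure", {
            "code": failure.get("code"),
            "message": (failure.text or "").strip(),
        }
    return "not-cas-xml", "serviceResponse with neither success nor failure"


# Constructed sample bodies (not captured from the asker's server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>admin</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-example</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-5-example' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# An HTML login page instead of the XML document: unclosed <br> makes it
# non-well-formed XML, so it is rejected before any cas: element is looked up.
HTML_BODY = """<html><head><title>CAS - Central Authentication Service</title></head>
<body><form method="post"><input name="username"><br><input name="password"></form>
</body></html>"""

if __name__ == "__main__":
    print(build_validate_url("https://localhost:8443/cas", "http://localhost:82/", "ST-7-example"))
    for name, body in (("success", SUCCESS_XML), ("failure", FAILURE_XML), ("html", HTML_BODY)):
        print(name, "->", classify_validate_response(body))
```

The practical check this gives you: if your own client logs the raw body on failure and you see "not-cas-xml", the problem is not the ticket but what the server URL is returning, and if you see a failure code, the CAS error code names the cause directly. Sending pgtUrl stays an explicit opt-in in build_validate_url, so a client that does not implement the proxy callback never triggers the server-side callback errors the answer describes.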